Re: BUG #16106: Patch - Radius secrets always gets lowercased
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Marcos David <mdavid@palantir.com>
Cc: "pgsql-bugs@lists.postgresql.org" <pgsql-bugs@lists.postgresql.org>
Date: 2019-11-12T16:33:46Z
Lists: pgsql-bugs
Marcos David <mdavid@palantir.com> writes: > On 11/11/2019, 20:24, "Tom Lane" <tgl@sss.pgh.pa.us> wrote: >> I'm hesitant to back-patch a change like this, because in theory >> it could change a working configuration into a non-working one. >> But it'd be sensible to do in HEAD. > We only noticed this because we were upgrading from 9.6 and it seems this bug was introduced in 10 in this commit: > https://github.com/postgres/postgres/commit/6b76f1bb58f53aec25cfec76391270ea36ad1170 Oh! Hm, if it can be painted as a regression, that changes the calculus a bit. In that case I'd be inclined to go ahead and back-patch. > I don't think patch would break anything in current configs since the secret would currently need to be lowercased anyway for the radius auth to work. The case I was imagining was where the secret was entered in the PG configuration with some uppercase letters, but the server actually expects lowercase, so the forced lowercasing makes it work. I admit that's a bit of a stretch, but if it had always worked like that then it's at least possible someone was relying on the behavior. But if we changed the behavior from correct to less correct, that's another story. BTW, it looks to me like it should work to double-quote the secret, although doing so is really tedious because there is an additional layer of double-quoting required by the pg_hba syntax: host ... radiussecrets="""ServerSecret"",""OtherServersSecret""" However, while you can defeat the downcasing that way, you can't bypass the truncation to NAMEDATALEN. So it's arguably broken even if this point had been documented, which it was not, at least not in any adequate way (the reference to quoting in the docs is mighty unclear to my eyes, and for sure it doesn't give a working example). Unfortunately, we've missed the window to get it into this week's releases, but I'll see about getting this committed after the release cycle finishes. regards, tom lane
Commits
-
Avoid using SplitIdentifierString to parse ListenAddresses, too.
- 7bf40ea0d028 13.0 landed
-
Avoid downcasing/truncation of RADIUS authentication parameters.
- d9802590a1b3 12.2 landed
- d66e68207e99 11.7 landed
- 7618eaf5f315 13.0 landed
- 4be69e2ea14d 10.12 landed
-
Support multiple RADIUS servers
- 6b76f1bb58f5 10.0 cited